KQL Detection: Global Administrator Elevation to User Access Administrator
Azure RBAC Elevation Via User Access Admin Toggle
Query
AuditLogs
| where Category == "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName == "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.displayName)
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorId = tostring(InitiatedBy.user.id)
| extend Operation = tostring(OperationName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| extend AppId = tostring(InitiatedBy.app.appId)
| project TimeGenerated, ActivityDisplayName, Category, Operation, Actor, ActorUPN, ActorId, IPAddress, AppId, Result, ResultReason, CorrelationId
| order by TimeGenerated descAbout this query
Explanation
This document explains a KQL query designed to detect when a Global Administrator in Microsoft Entra ID elevates their access to become a User Access Administrator at the Azure root level. This action allows them to manage all Azure subscriptions and management groups, which can be risky if their account is compromised. The query is intended for use in Azure Monitor Log Analytics or Microsoft Sentinel to monitor and investigate such events.
Key Points:
-
Purpose:
- The query identifies when a Global Administrator uses a specific toggle to gain broader access, potentially bypassing security principles.
- This action should be monitored closely due to its high impact.
-
Prerequisites:
- Entra ID Audit Logs must be sent to a Log Analytics workspace.
- The workspace must have an
AuditLogstable. - Appropriate permissions are required to run the query.
-
How the Query Works:
- Filters logs to find elevation actions related to Azure RBAC.
- Extracts details about the user and context of the action.
- Displays relevant information such as the user’s name, IP address, and the time of the event.
- Sorts results to show the most recent events first.
-
Running the Query:
- Can be executed in Log Analytics or Microsoft Sentinel for investigation or as part of a scheduled rule to generate alerts.
-
Interpreting Results:
- Each result row represents an elevation event.
- Key details include the time, user information, and operation result.
- Follow-up actions include verifying the user’s authorization and checking for any suspicious activity.
-
Using in Analytics Rule:
- The query can be converted into a scheduled rule in Sentinel to continuously monitor for these events and generate alerts.
-
Limitations:
- The query relies on the ingestion of Entra ID Audit Logs.
- Future changes in log structure may require updates to the query.
- Assumes only authorized Global Administrators can perform this action.
This query helps ensure that any unauthorized or unexpected access elevation is quickly identified and investigated to maintain security.
Details

Nathan Hutchinson
Released: February 2, 2026
Tables
Keywords
Operators